Storing Sensitive Information on Your Computer

Last modified on August 1st, 2013

Other than the odd time when I’ll go down to Future Shop and make a purchase, I do almost all of my shopping online these days. Part of the reason is that I live in a small town that really doesn’t have a great selection for many items. The other reason is that I’m often busy, and so I can simply make an order online and have it show up a week to ten days later.

The same can be said when I travel too. Other than the markets that you find all over the world, and the odd mall, some things on the road are still best to purchase online. A good example of that is when I bought a new DVD drive for my MacBook Air while in Thailand. I simply logged into the Thai version of the Apple store and had the item shipped to me in Thailand. Since Singapore is one of their main hubs, it only took two days for that item to get to me.

To facilitate eCommerce, it is often helpful to have your credit card information on your computer in a text file. The problem with that, of course, is that if anyone gets access to your computer, they can easily get access to all your accounts. If you keep scans of your identity information (such as a passport, which I often do), then it’s possible for someone accessing your computer to have all of your identity information as well, including where you live.

Using an Encrypted Drive

The best solution I’ve found for storing sensitive information on your computer is to use TrueCrypt. Basically, TrueCrypt creates a file on your computer that, when accessed, looks and feels like simply another hard drive on your computer. The difference is that a TrueCrypt volume is encrypted with government-grade encryption, and its contents cannot be accessed without entering the proper password. And like a hard drive, you can simply mount or unmount it at will – whenever you mount it, you will need to supply the password, which hopefully only you know.

Layering TrueCrypt on DropBox

I’ve actually taken this a step further and put my TrueCrypt volume onto DropBox. This means that I can access my encrypted information from any computer I have, and have that information reside up in the cloud. Since the volume is encrypted, it is simply impossible to access that information without knowledge of the password (which you choose when creating the volume).

I basically keep all of my credit card information, personal account numbers, bank transit numbers, scans of void cheques, and copies of my passport inside my encrypted volume. If someone were to steal my computer, and access it before my screensaver lock kicked in, they would be unable to see any of that sensitive information or forcibly access it by pulling the hard-drive out.

Some people may be content simply storing this information on their computer and trusting that the login password is enough, and that’s fair. But I much prefer using TrueCrypt (which is free) to add another layer of security for that type of information, ensuring that there really is no possible way that information can be extracted without knowledge of the password.
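Since everything above rests on the password, here is an added example (not part of the original post, and not TrueCrypt's own code) of why passphrase choice matters once the container file sits on Dropbox: anyone holding a copy of the file can test guesses offline against the key derived from the passphrase. PBKDF2 is the kind of key derivation such containers use; the header stand-in, iteration count, guess rate and passphrase policies below are assumptions for illustration.

```python
import hashlib
import hmac
import math
import os

ITERATIONS = 1000   # assumed PBKDF2 round count for this sketch
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Stretch a passphrase into a 64-byte key with PBKDF2-HMAC-SHA512."""
    return hashlib.pbkdf2_hmac("sha512", passphrase.encode(), salt, ITERATIONS, 64)

def seal(passphrase: str) -> tuple:
    """Constructed stand-in for a volume header: random salt plus a key-check tag."""
    salt = os.urandom(64)
    tag = hmac.new(derive_key(passphrase, salt), b"header-check", hashlib.sha512).digest()
    return salt, tag

def unlocks(passphrase: str, salt: bytes, tag: bytes) -> bool:
    """True only if the passphrase reproduces the key that sealed the header."""
    candidate = hmac.new(derive_key(passphrase, salt), b"header-check", hashlib.sha512).digest()
    return hmac.compare_digest(candidate, tag)

def keyspace_bits(symbols: int, length: int) -> float:
    """Entropy of a passphrase drawn uniformly at random from `symbols` choices."""
    return length * math.log2(symbols)

def years_to_search(bits: float, guesses_per_second: float) -> float:
    """Expected search time for a random passphrase (half the keyspace on average)."""
    return (2 ** bits / 2) / guesses_per_second / SECONDS_PER_YEAR

def compare(guesses_per_second: float = 1e6) -> dict:
    """Assumed offline guess rate applied to three constructed passphrase policies."""
    policies = {
        "8 lowercase letters": keyspace_bits(26, 8),
        "12 printable ASCII": keyspace_bits(94, 12),
        "6 random dictionary words": keyspace_bits(7776, 6),
    }
    return {name: years_to_search(bits, guesses_per_second) for name, bits in policies.items()}

if __name__ == "__main__":
    salt, tag = seal("correct horse battery staple")
    print(unlocks("correct horse battery staple", salt, tag), unlocks("guess", salt, tag))
    for name, years in compare().items():
        print(f"{name:28s} {years:.3g} years")
```

The salt and tag are not secret, which is why a synced copy is enough to check guesses; only the length and randomness of the passphrase set the cost.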

3 responses to “Storing Sensitive Information on Your Computer”

  1. Duncan says:

    Cool! I downloaded that app and have set up a 5GB container on DropBox to store files containing sensitive information. Great advice given the recent security flaws DropBox have gone through.

  2. Calvin says:

    Well… first let me say, that as horrible an idea as it is, sometimes you just have no choice but to keep text copies of your sensitive personal data in a file somewhere, whether that file be on the net, on a hard drive, or on a piece of paper in an actual filing cabinet. The cyber-security professional in me screams “never write anything down!!!”, but I’m plenty guilty myself. My last job for instance, granted me root access to over 300 critical telecommunications infrastructure servers. Many of the passwords were the same, but whole swaths of server farms had completely different password rules … some had to be changed monthly, some never. Some would let you toggle between your two favorite passwords, some wouldn’t let you use any of your last TEN passwords. Some had Kerberos authentication, some had SecureID, some were time based, some were, well, you get the picture – it was impossible to remember my credentials on any given system, and these were NOT systems you wanted to have three wrong guesses on, so I needed to create a file of all my current credentials and have that file available to me from anywhere in the world.
    I had a very similar system as TrueCrypt – a military grade encrypted file that mounts as a hard drive when the correct passphrase is given. There were striking differences though. For one, the file would eat itself if three wrong passwords were given (overwrite itself 4 times with nulls, 0xFF’s, random characters, then nulls again – because as any forensics expert knows, you can delete a file, but there are still residual traces on the hard drive). Also, access to the file required 3 factor authentication … but hey, this is overkill for a few credit card numbers and all the keys to your identity, right? Well, maybe, maybe not.

    I’ll tell you right now, if I were to steal your laptop Duane, the first thing I’d do is boot it off a linux security distro disc like knoppix s-t-d.org and use chntpw to change your administrator password and cmospwd to change your CMOS password. 2 minutes and I would then safely boot into your laptop with full admin privileges. I would first search for encrypted files and drives because that’s where the good stuff is, right? Your dropbox probably mounts automatically, which means the credentials are stored in a file somewhere – not that I need them, it mounts automatically… but knowing one password means I probably know a lot of your passwords, so revealing it is a priority (and trust me, I’ve never met an MD5 hash I couldn’t bust in under 90 minutes) – lots of passwords are probably stored in there… your icloud, facebook, twitter, instagram, maybe even this blog… oh, or maybe BraveNewCode servers? If I find just one password, I can more than likely use it on more than one system – but let’s get back to the task at hand; the TrueCrypt file I just discovered in your Dropbox folder, alluringly named “everything_you_need_to_steal_my_identity.tz” or something similarly enticing.
    I would immediately copy it offline to a server dedicated to brute force attacking the password hash. You are one savvy computer dude, so I’d expect nothing less than a Triple blowfish 1344 bit encryption algorithm – no AES or DES for you – so I suspect this crack may take upwards of a week, possibly even two, to brute force my way in.

    And therein lies the crux of this diatribe. The purpose of encryption is to render the data contained “obsolete” before the encryption scheme fails. Every encryption scheme will fail eventually, the task is to slow the hacker/intruder long enough so that you have time to cancel your credit cards, void your passport, change your passwords, etc, etc, do whatever you need to do to be safe BEFORE it is safe to assume that your private data is in the hands of someone very capable, and very nasty.

    And that’s the moral of the story; take precautions, safeguard your data, but have a contingency plan that you’re ready to activate, should your data be stolen. Your data won’t be safe for long, even if encrypted – all you’ve bought yourself is time.

    By the way, your laptop DOES call home if it goes missing, right? There’s an app for that… it tells you exactly where it is, and even activates the camera so you can take snapshots of the thief that’s trying to access your system. But that’s another story 😉

  3. Duane Storey says:

    I don’t think there is a system a person could devise that couldn’t be broken with enough time or determination. But there are a lot of easier ways to get my credit card information than hacking my computer – for example it’s probably easier to wait until I have a few drinks and then slip my wallet out of my back pocket. It’s also probably easier to buy credit card numbers online (and people do sell them) than to attempt to remove them from an encrypted drive.

    I look at it like The Club for automobiles. Sure, a person could break in and cut the club/steering wheel to take the car – but when there are easier cars to steal, why bother?

    And yes my laptop calls home, but that’s only if someone is dumb enough to allow it to get on the internet after stealing it. I know lots of people are that dumb, but anyone who is tech savvy probably wouldn’t.

    But I agree, it does buy time to cancel cards and what-not, and I think good enough for most people.
